New SolarWinds CEO Sudhakar Ramakrishna struck a different tone in his first public communication just seven days after starting as CEO of the embattled IT infrastructure management vendor. Unlike his predecessor Kevin Thompson, who is an accountant by training and led the firm from March 2010 to December 2020, Ramakrishna comes from a security background, having most recently led Pulse Secure.
During his five years as Pulse Secure’s CEO, Ramakrishna had to deal with hackers exploiting a widely known flaw in the company’s VPN appliance to carry out ransomware attacks many months after a patch had already been rolled out. Ramakrishna said Thursday the experience taught him to lead with humility, ownership, transparency, focused action, and bias toward customer safety and security.
“Although I accepted the position to become CEO before the Company [SolarWinds] was notified of the cyberattack, I feel an even greater commitment now to taking action, ensuring we learn from this experience, and continuing to deliver for our customers,” Ramakrishna wrote in a blog post published late Thursday.
From resetting privileged credentials and re-signing all digital certificates to manually checking source code and rolling out more threat hunting software, here are five critical changes Ramakrishna will make to put security front and center.
5. Leverage third-party tools, ethical hackers for insight
Ramakrishna said SolarWinds will leverage third-party tools to expand the security analysis of the source code for Orion software as well as related products. The company also pledges to engage with and fund ethical hacking from white hat communities to quickly identify, report and remediate security issues across the entire SolarWinds portfolio, according to Ramakrishna.
Vulnerability disclosure programs are nearly as old as the internet itself but didn’t gain traction until the early 2010s when companies like Microsoft, Google, Facebook and Mozilla rolled out programs of their own. Companies without a formal vulnerability disclosure policy often remain in the dark about known flaws in their architecture, with hackers not reporting flaws they’ve found due to fear of retaliation.
Vulnerability disclosure programs are therefore becoming accepted as an industry best practice, CRN reported in February 2018, and are recommended by everyone from the U.S. Department of Defense to the Food and Drug Administration. But despite the regulatory guidance, HackerOne found in early 2018 that just 6 percent of the Forbes Global 2000 companies have a known vulnerability disclosure policy.
4. Lean on vulnerability management, pen testing
SolarWinds will expand its vulnerability management program to reduce the company’s average time-to-patch and better enable the company to work with the external security community, according to Ramakrishna. The company also plans to perform extensive penetration testing on Orion and related products to identify any potential issues, which will be resolved with urgency, Ramakrishna said.
The New York Times reported Jan. 2 that common security practices were eschewed during the tenure of former CEO Thompson because of their expense. Some of the eschewed security measures may have put SolarWinds and its customers at greater risk for attack, according to The New York Times. SolarWinds declined to comment on the claims in the Times piece.
Specifically, the Times reported that under Thompson, SolarWinds moved much of its engineering to satellite offices in the Czech Republic, Poland and Belarus, where engineers had broad access to the compromised Orion software. SolarWinds said the manipulation of Orion was done by human hackers rather than a computer program, but hasn’t addressed whether insiders were involved in the attack.
3. Ensure the security, integrity of SolarWinds software
Ramakrishna said SolarWinds is adding further automated and manual checks to ensure that compiled releases match the company’s source code. The company also plans to re-sign all Orion platform software and related products, as well as all other SolarWinds products, with new digital certificates, according to Ramakrishna.
The malicious backdoor wasn’t evident in the Orion products’ source code but appears to have been inserted during the Orion software build process, SolarWinds disclosed Dec. 17. SolarWinds said Dec. 17 it’s still investigating its non-Orion products, but to date hadn’t seen any evidence that they’re impacted by the backdoor attack believed to be carried out by the Russian foreign intelligence service, or APT29.
SolarWinds MSP told its 15,000 solution provider customers Dec. 16 that it would yank the digital certificates for its MSP tools, revoking them in four days’ time, and force customers to “digitally re-sign” into its products. SolarWinds MSP said it began issuing the new certificates on Dec. 17 and planned to revoke all its old certificates by Dec. 21, according to an email from SolarWinds MSP General Manager John Pagliuca.
2. Enhance SolarWinds’ product development environment
Ramakrishna said SolarWinds is performing an ongoing forensic analysis of its product development environments to identify root causes of the breach and take remediation steps. The company also plans to move to a completely new build environment with stricter access controls and deploy mechanisms to facilitate reproducible builds from multiple independent pipelines, Ramakrishna said.
SolarWinds said Dec. 17 that the hotfix updates released in recent days should, when implemented, close the backdoor on vulnerable SolarWinds Orion network monitoring products. The company said at the time that it had retained third-party cybersecurity experts to help the company secure its systems following the attacks against the U.S. government and private firms like FireEye and Microsoft via Orion.
SolarWinds said its Orion platform meets the security requirements of U.S. federal and state agencies following the release of a final hotfix Dec. 15. Federal agencies that had used compromised SolarWinds products must fully rebuild their Orion infrastructure and reset all accounts that are currently—or have been—used by the system, the Cybersecurity and Infrastructure Security Agency said Wednesday.
1. Better secure the company’s internal environment
Ramakrishna said SolarWinds plans to prioritize securing its internal environment as a central part of the company’s operational fabric moving forward. For starters, the company will consolidate remote and cloud access avenues for accessing the SolarWinds network and applications by enforcing multifactor authentication, according to Ramakrishna.
The company also plans to reset credentials for all users in the corporate and product development domains, Ramakrishna said. This includes resetting the credentials for all privileged accounts as well as all accounts used in building the Orion platform and related products, according to Ramakrishna.
SolarWinds further plans to deploy more threat protection and threat hunting software on all network endpoints, with a critical focus on development environments, according to Ramakrishna. The company announced Dec. 17 that it had rolled out CrowdStrike’s Falcon Endpoint Protection across the endpoints on its systems to ensure its internal systems were secure following the massive Russian cyberattack.